Awesome
Guidelines
- Prevent overblocking by utilizing the law of diminishing returns (e.g., using sane, quality blocklists).
- Pass the girlfriend test with few exceptions. These deviations are documented throughout the guide.
Contents
Sign up
Create an account, or take advantage of Control D's free resolvers.
Profiles
Once you create an account, you will have a Profile. This will either be one of the pre-made profiles with example rules or a blank customizable profile.
:bulb: Since your Profile already exists when you create a new account, you only need to create your first Device and enforce this Profile to get up and running. This automatically generates the DNS resolvers while keeping things simple — associating one Profile to one Device.
Profiles are divided into Filters, Services, Custom Rules, and Profile Options.
Create a profile
To create a profile, select the big green +
button at https://controld.com/dashboard/profiles.
You'll be asked for a Profile Name and given a list of Options. See Profile Options to decide which ones to enable.
Endpoints
Endpoints (formerly Devices) enforce profiles. Every device is assigned to a profile.
Create a device
To create a device, select the big green +
button at https://controld.com/dashboard/devices and add the devices that you use.
When adding a new Device, you must select its type from one of the following categories: desktop or mobile OS, smart TV OS, web browser, or router.
While the device type does not impact the assigned DNS resolvers, it determines the setup guide and automatic configuration steps displayed later. The automated setup is recommended for most beginners.
Customizations
Filters
:bulb: A few well-chosen filters provide comprehensive protection.
:warning: Since DNS is vital for websites to load properly, overblocking will cause a lot of headaches.
Filters, or blocklists, prevent select websites from resolving. They primarily target ads, trackers, and malicious sites.
All filters are updated every 15-30 minutes.
Native
Control D maintains these filters. Some filters have multiple modes (Relaxed, Balanced, Strict).
3rd Party
These are popular community maintained filters. Hundreds of volunteers contribute to these lists in the open-source community.
While most DNS blocklists aggregate their entries from other sources, they do not include their source's allowlist. They must manually build an allowlist over time. Therefore, when it comes to protecting yourself, adding multiple 3rd party lists does not provide substantial benefits. Rather, it only increases your chances of false positives.
The key is to choose reputable filters that balance breadth with accuracy. Ultimately, false positives can disrupt legitimate traffic, so quality is preferable over quantity when selecting blocklists.
I strongly recommend Hagezi's DNS lists for his:
- sensible allowlist (doesn't overblock = smooth browsing experience)
- quick handling of false positives (within the same day, if not sooner)
- unique entries combined with respected community filters like OISD, Steven Black, and other sources
You can choose other 3rd party lists, but they aren't needed.
Recommendations
I have three builds below, using a combination of both native and 3rd party filters:
- The first build, Basic, allows for seamless browsing while still blocking ads, trackers, and malicious sites.
- The second build, Hardened, increases defenses against trackers and malicious sites.
- A third build, Aggressive, goes further but with a higher chance of false positives.
These are only suggestions. Feel free to mix and match.
Build | Native | 3rd Party |
---|---|---|
Basic | Malware (Relaxed) <br> Phishing | Hagezi's DNS - Normal <p><p>Hagezi's DNS - TIF |
Hardened | Dynamic DNS <br> Malware (Balanced) <br> New Domains (Last Week)<sup>1</sup> <br> Phishing | Hagezi's DNS - Pro <p><p> Hagezi's DNS - TIF |
Aggressive | Clickbait <br> Dynamic DNS <br> IoT Telemetry <br> Malware (Strict)<sup>2</sup> <br> New Domains (Last Month)<sup>1</sup> <br> Phishing | Hagezi's DNS - Pro Plus <p><p> Hagezi's DNS - TIF |
<sup> 1 Blocking newly registered domains (NRDs) may cause false positives occasionally. Be selective when adding NRDs to your allowlist; and, if you do, NEVER give sensitive information to a NRD. </sup> <br> <sup> 2 Strict mode may be especially prone to false positives. Drop down to Balanced mode if false positives frequently disrupt browsing. </sup>
Not all ads can be blocked at the DNS level. You will need an ad blocker to block what's leftover.
This is because not all ads come from third-party domains. Some ads come directly from the site you're visiting, like YouTube. DNS blockers stop the resolution of a domain, and content blockers filter page content.
- Find web browser and ad blocker recommendations to easily install a lightweight ad blocker.
- Want to block more with your ad blocker? Check out my custom filter lists.
Services
Services allows you to customize blocking and allowing sites and apps at a granular level.
To access Services, go to https://controld.com/dashboard/profiles > Edit > Services.
Easy exceptions
You can use Services to create easy exceptions.
For example, let's say you want to block all social media except Instagram:
- Enable the Social filter on your Profile to block all social media sites (Profile > Edit > Filters > Social).
- Go to Services (Profiles > Edit > Services).
- Open the Social category and toggle Instagram.
- Create a Bypass rule to allow Instagram.
Now you can still access Instagram while blocking other social media services.
Targeted blocking
Alternatively, you can use Services to block only specific social media sites rather than the whole category.
In this scenario, you only want to block TikTok and Facebook:
- Go to Services (Profiles > Edit > Services).
- Open the Social category and toggle Facebook.
- This will allow you to create a Block rule to block Facebook.
- Repeat 2 and 3 for TikTok.
This way, you can still access all social media companies except Facebook and TikTok.
As you can see, Services help you tailor your blocking to your specific needs, and it's easier than hunting down and copying + pasting URLs to your Custom Rules.
Custom Rules
Custom Rules allows you to organize domains into groups.
To access Custom Rules, go to https://controld.com/dashboard/profiles > Edit > Custom Rules.
Logical groups
You can create folders to categorize domains, then apply rules to those domains.
Action folders
Alternatively, you can assign one rule to an entire folder. That rule will then apply to all domains within that folder.
I advise that you do this when creating two folders, an Allowlist and a Denylist, and then add domains to them as needed.
Allowlist
Domains added to the Allowlist folder will always resolve.
To create an allowlist:
- Under the desired profile, add the folder by clicking the big green
+
button. - Select Folder.
- Under Folder Name, type
Allowlist
. - Toggle Folder Rule.
- Under Select Rule, select the middle option Bypass.
Denylist
Domains added to the Denylist folder entries are always blocked.
To create an denylist:
- Under the desired profile, add the folder by clicking the big green
+
button. - Select Folder.
- Under Folder Name, type
Denylist
. - Toggle Folder Rule.
- Under Select Rule, make sure Block is selected.
:memo: Note that Control D disables iCloud Private Relay by default (read more).
Profile Options
AI Malware Filter
Disable
Enable in (Relaxed Mode) for Aggressive profiles.
Safe Search
Disable
Enable for Kids profile.
Restricted Youtube
Disable
Enable for Kids profile.
DNS Rebind Protection
Enable
DNS Rebind Protection prevents malicious requests from bypassing security measures on your device. For example, if you visit google.com
and it resolves to a private IP address like 10.0.0.1
, DNS Rebind Protection would block access. This stops attackers from using rebinding techniques to access private networks and endpoints that should not be publicly reachable.
Disable DNSSEC
Enable
:bulb: Control D sits between you and the upstream DNS servers, giving it full control over your DNS records. This reduces the value of DNSSEC's authentication.
:warning: DNSSEC can make things slower and break some sites.
DNSSEC is a security protocol that enhances DNS by using digital signatures to verify the authenticity and integrity of DNS data. The protocol cryptographically signs DNS records using public key cryptography, allowing the DNS resolver to verify that the DNS responses they receive are valid and from the authoritative source, rather than being manipulated by attackers.
DNS over HTTPS (DoH) and similar protocols do not eliminate the need for DNSSEC to validate the integrity of DNS data. However, when using a service like Control D that can modify DNS records based on user-defined rules, there is little added benefit to enabling DNSSEC validation.
Control D also states that DNSSEC<sup>1</sup> requires a separate DNS resolver and cache, which impacts performance.
<sup> 1 At this time, DNSSEC validation and EDNS Client Subnet (ECS) are grouped together in this settings.</sup>
TTL Overrides
:bulb: Increasing the TTL values caches DNS records for longer periods, which minimizes queries and optimizes performance.
:warning: Do not set higher than 24 hours.
Every DNS record has a time-to-live (TTL) value that determines how long devices cache the record before requesting an update from the DNS server. This caching reduces DNS queries and can improve performance.
Below are possible values to use for DNS caching, measured in seconds.
Value | Duration |
---|---|
60 | 1 minute |
300 | 5 minutes |
3600 | 1 hour |
28800 | 8 hours |
43200 | 12 hours |
86400 | 24 hours |
Block TTL
Enable
Default value: 10
(10 seconds)
<br> Recommended value: 60
(1 minute)
Block TTL increases the time-to-live for DNS records blocked by Control D. A higher value means fewer DNS lookups for blocked requests, but also a longer delay between unblocking a domain and it becoming accessible.
:bulb: The less aggressive your Profile is, the more comfortable you may be setting this to a higher value.
Redirect TTL
Enable
Default value: 20
(20 seconds)
<br> Recommended value: 300
(5 minutes)
A redirect rule spoofs the domain to a proxy location or alternate IP address. Redirect TTL increases the time-to-live for DNS redirected by a Service, Custom Rule, or the Default Rule. A higher value means fewer DNS lookups, but also a longer delay between changing locations and the new location settings taking effect on a Device.
:warning: If you adjust redirect rules often, you may want to leave this disabled.
Bypass TTL
Enable
Default value: 60
(1 minute)
<br> Recommended value: 3600
(1 hour) or 86400
(24 hours)
Bypass TTL increases the time-to-live for DNS records that were not blocked or redirected (i.e. 'normal' requests), and passed to the upstream resolver. A higher value means fewer DNS lookups, but can cause websites to break if set beyond 24 hours.
Advanced Users
Multiple Devices and Profiles
Organizing profiles
This is where you can get creative. What you name the profiles doesn't matter much; what matters is the options you will enable with each profile.
For example, you may create two profiles, and then later link devices to one of the two profiles:
- Hardened (for web browsers, computer, smartphone): more nuanced protection with greater risk of false positives.
- Relaxed (for router, smart TV): set-and-forget; low chance of false positives.
Are you managing DNS for just you? Then you may need only one or two profiles. Your family? Then maybe three or four profiles.
If you have kids, you might have:
- Administrator (you the administrator; stronger settings)
- Adults (spouse, grandparents; slightly relaxed settings)
- Kids (with parental controls active)
Or a combination of the two approaches:
- Hardened: heightened security and privacy options, since you're maintaining the DNS and don't mind troubleshooting (for web browsers, computer, smartphone)
- Relaxed: balance of security and privacy options (for smart TV, your spouse's devices)
- Kids: same as Relaxed but with parental controls active
- Basic: legacy resolver, security options, but minimal privacy filters (for router)
You get the idea.
Organizing devices
Remember that devices enforce profiles.
You can add as many Devices as you'd like. I have a Device created for each web browser I use, and one for my phone, computer, smart TV, and router.
Let's use the profile names from earlier. You might have:
Device Name | Enforced Profile |
---|---|
Firefox | Hardened |
Chrome | Hardened |
iPhone | Hardened |
Wife's iPhone | Relaxed |
Wife's Mac | Relaxed |
Susie's iPad | Kids |
Living Room TV | Basic |
Router | Basic |
If desired, Control D allows enforcing two profiles on a single device. Multiple linked profiles allow you to enforce rules from two profiles simultaneously when using a device.
:bulb: You can read more on advance rule logic in the docs.
Wildcard rules
Wildcard rules allow you to block a wide spectrum of domains without listing them separately. This format is what Control D uses in their blocklists.
Control D can block subdomains by adding wildcards like *.domain.com
to your Denylist. Blocking *.domain.com
prevents access to all subdomains of domain.com
without blocking the root domain itself.
For instance, adding *.analytics.com
to the Denylist stops requests to subdomains like tracking.analytics.com
or metrics.analytics.com
while still allowing access to the main analytics.com
site.
:world_map: To access Custom Rules, go to https://controld.com/dashboard/profiles > Edit > Custom Rules.
Import & Export Folders
Import
Control D allows you to import and export folders from other users under Custom Rules.
To download a folder:
- Click the link.
- On Github, select the
...
button in the top-right corner. - Click Download.
- On Control D - Custom Rules, select the
...
icon. - Click Upload Folder.
TLDs
You may want to add a folder to block certain TLDs and IDNs.
Hagezi has compiled folders for you to easily import into Control D, such as:
International IPs
[!WARNING] These rules may lead to false positives (example).
I created a folder to block IP addresses from certain countries (see Geo Custom Rules). These countries have high rates of cybercrime or state-sponsored spyware activity. This folder excludes or disables rules affecting countries with high server traffic from other nations, such as the Netherlands and Israel.
After importing the folder, review the list and disable certain rules if they affect your region or travel destinations.
Export
Want to share your folder? You can export it by clicking the ...
button in a folder and selecting Download Rules.
Spoofing Domains
A redirect rule proxies all domains associated with a Service to a location or IP address you specify.
Examples
Category | Service | Destination |
---|---|---|
Finance | Citi | Dallas, US |
News | The New York Times | New York, US |
Tools | Bing | Charlotte, US |
- Websites or apps employing legacy security protocols might not be accessible when attempting to bypass geo-restrictions. The redirect rule requires Server Name Indication (SNI), which is not supported in these older standards. This prevents the bypassing method from functioning as intended.
- Currently, the unencrypted SNI allows ISPs and network admins to see your visited sites when analyzing traffic with Deep Packet Inspection (DPI). Encrypted Client Hello (ECH) is coming but it's not widely used yet.
- Control D is not a VPN; it will not bypass government restrictions.
Instructions
Control D provides a simple and effective way to use DNS-based traffic redirection for popular services
- To access services, go to https://controld.com/dashboard/profiles > Edit > Services.
- Choose a category.
- Select the third icon (globe).
- Choose a proxy location.
Geo Custom Rules
[!WARNING] These rules may lead to false positives (example).
:hammer_and_wrench: This feature is still in beta.
Geo Custom Rules (GCRs) allow you to create custom rules based on the geo-location data of source and destination IPs for DNS queries. These rules allow you to redirect, block, or bypass domains that resolve to IPs in the chosen country.
GCRs start with the formats below, followed by a two-letter ISO country code.
Symbol | Definition |
---|---|
@ | Domains resolve to an IP address in a destination country. |
!@ | Domains do not resolve to an IP address in a destination country. |
Create a folder (optional)
I recommend you put all these rules in their own folder:
- To access Custom Rules, go to https://controld.com/dashboard/profiles > Edit > Custom Rules.
- Under the desired profile, add the folder by clicking the big green
+
button. - Select Folder.
- Under Folder Name, type
Geo Custom Rules
. - Click Add Folder.
Block Examples
1) Block specific countries
Let's assume you only want to block DNS queries to domains that resolve to servers in countries with known cybersecurity threats like Russia or China.
You would create the following two rules @RU
and @CN
both with a block rule, to stop anything that resolves to a Russian or Chinese IP.
Rule | Symbol | Country | Description |
---|---|---|---|
Block | @ | RU | Block domains that resolve to a Russian IP address. |
Block | @ | CN | Block domains that resolve to a Chinese IP address. |
Result: Web requests that would resolve in those countries are blocked.
:bulb: I created a folder called Potentially Malicious IPs to block countries with high suspected state-sponsored spyware activity or cybercrime rates. If you live outside the U.S. or travel internationally, you should review the list after importing.
2) Lockdown network
So let's say you're a real glutton for punishment and want to limit your network connections to only the United States and Canada. Control D can understand multiple !@
block rules, if you want to limit your DNS resolutions to a handful of countries.
You would use !@US
and !@CA
both with a block rule, to prevent any DNS resolutions to domains outside of these countries.
Rule | Symbol | Country | Description |
---|---|---|---|
Block | !@ | US | Block domains that don't resolve to a United States IP address. |
Block | !@ | CA | Block domains that don't resolve to a Canadian IP address. |
Result: DNS resolutions are blocked unless the domains resolve to servers located in the United States or Canada.
:warning: The method described above imposes greater restrictions compared to Example 1. GCRs use country codes and geo-IP address information to identify countries. If the geo-IP databases can't identify the country (null geo
), then your site navigation will break. In other words, when you say !@US = block
, the null geo
matches this rule since the IP addresses not explicitly labeled U.S. (i.e. the IP address has a missing country code in the database).
Redirect Examples
3) Resolve IP address in a chosen country
You can use a redirect rule to resolve to IPs in the chosen country.
Rule | Location Override | Symbol | Country | Description |
---|---|---|---|---|
Redirect | Mexico City, MX | @ | MX | Redirect domains that resolve to an IP address in Mexico through a Mexican proxy server. |
Result: You're essentially browsing the internet as if you were physically located in Mexico.
4) Resolve foreign domains via a proxy
In this example, let's assume you live in the United States. You can automatically redirect non-US IP addresses through a proxy.
Rule | Location Override | Symbol | Country | Description |
---|---|---|---|---|
Redirect | New York, US | !@ | US | Redirect domains that don't resolve to a United States IP address through a New York proxy server. |
Result: You route any requests originating outside the United States through a proxy server located in New York.
:warning: The method described above imposes greater restrictions compared to Example 3. GCRs use country codes and geo-IP address information to identify countries. If the geo-IP databases can't identify the country (null geo
), then Control D will redirect the request to the proxy. In other words, even if a request originates from the U.S., but it is not labeled as such in the dataset, the null geo
matches this rule since the IP addresses not explicitly labeled as from the U.S. (i.e. the IP address has a missing country code in the database).
Bypass Example
5) Create exceptions for the proxy
This setup is useful if you have the Default Rule set to redirect (read more) and want to make exceptions, to resolve certain requests without a proxy.
Rule | Symbol | Country | Description |
---|---|---|---|
Bypass | @ | US | Domains with a United States IP address are resolved normally. |
Result: All requests are redirected through a proxy via the Default Rule except domains with a United States IP address.
The inverse of this is similar to the chart in Example 4.
:memo: You can also make rules for source IPs, not just destination. Read the docs if you're curious.